The first issue is whether access to the identity of the user of a dynamic IP address is disclosure of civil identity data or access to traffic data? Due to its serious nature, traffic data can only be retained for combatting serious crime, and access must be for a purpose which is compatible with retention.
Most EU Member States' #dataretention laws do not limit access to retained IP addresses to cases of serious crime. 2/5
The AG Opinion is clear on this point: since processing of retained IP addresses is required to disclose the identity of the user, the disclosure involves access to retained traffic data. Under the existing CJEU case law, this would limit access to serious crime. The French HADOPI law, being about minor copyright infringement, does not meet this threshold.
This is the GOOD part (useful clarification) of the AG Opinion. 3/5
Unfortunately, the AG then proposes to substantially water down the existing case law on retained source IP addresses from the October 2020 La Quadrature du Net judgment.
In order to be able to investigate every possible offence committed online, the AG proposes to allow general and indiscriminate retention of source IP addresses for all cases where access to this data is the "only means of investigation".
This is much weaker than the current serious crime requirement for such retention. 4/5
Moreover, the AG does not believe that prior authorisation by a court or independent administrative authority is necessary. This is also a significant departure from the existing case law. Arguably, the proposed "only means of investigation" criterion makes independent review every more critical.
TL;DR The case is not just about the French HADOPI law. A lot is at stake for #dataretention in the forthcoming judgment! 5/5
eupolicy.social is a Mastodon instance for the EU policy bubble. Its aim is to provide a friendly and respectful discussion space for people working in the field of EU policy and to contribute to the health, diversity and growth of the fediverse.